Social engineering for espionage and for profit




At a glance.

  • Okta discloses a data exposure incident.
  • Cisco works to fix zero-day.
  • DPRK threat actors pose as IT workers.
  • Five Eyes warn of AI-enabled Chinese espionage.
  • Job posting as phishbait.
  • The risk of first-party fraud.
  • The Quasar RAT and DLL side-loading.
  • Hacktivists trouble humanitarian organizations with nuisance attacks.
  • Content moderation during wartime.
  • Not content-moderation, but fact-checking.
  • Cyberespionage at the ICC.

Okta discloses a data breach.

Identity and access management company Okta has disclosed a data breach affecting some of the company’s customers. The company stated, “The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases. It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted. In addition, the Auth0/CIC case management system is not impacted by this incident.”

BeyondTrust, which discovered the breach, stated, “The incident was the result of Okta’s support system being compromised which allowed an attacker to access sensitive files uploaded by their customers. The incident began when BeyondTrust security teams detected an attacker trying to access an in-house Okta administrator account using a valid session cookie stolen from Okta’s support system. Custom policy controls blocked the attacker’s initial activity, but limitations in Okta’s security model allowed them to perform a few confined actions.” 

KrebsOnSecurity notes that “it appears the hackers responsible had access to Okta’s support platform for at least two weeks before the company fully contained the intrusion.” For more on this incident, see CyberWire Pro.

Cisco works to fix zero-day.

Cisco has disclosed a new zero-day vulnerability (CVE-2023-20273) that was used to deploy malware on IOS XE devices compromised via CVE-2023-20198, another zero-day the company disclosed last week, BleepingComputer reports. According to data from Censys, as of October 18th nearly 42,000 Cisco devices had been compromised by the backdoor, though that number is steadily falling. Cisco said in an update on Friday that “[f]ixes for both CVE-2023-20198 and CVE-2023-20273 are estimated to be available on October 22.”

Cisco stated, “The CVE-2023-20198 vulnerability received the highest Common Vulnerability Scoring System (CVSS) score (10/critical). Successful exploitation allows the attacker to gain access to the device with full administrator privileges. After compromising the device, we observed the adversary exploit a second vulnerability (CVE-2023-20273), which affects another component of the Web UI feature, to install the implant. This allows the attacker to run arbitrary commands with elevated (root) privileges, thereby effectively taking full control of the device. In this particular attack, the actor then used the ability to run arbitrary commands to write the implant to the file system. CVE-2023-20273 has a CVSS score of 7.2 (high).”

DPRK threat actors pose as IT workers.

The FBI has issued a public service announcement offering “guidance to the international community, the private sector, and the public to better understand and guard against the inadvertent recruitment, hiring, and facilitation” of North Korean IT workers. The Bureau notes that “[t]he hiring or supporting of DPRK IT workers continues to pose many risks, ranging from theft of intellectual property, data, and funds, to reputational harm and legal consequences, including sanctions under U.S., ROK, and United Nations (UN) authorities.” For more on North Korean operators out job hunting, see CyberWire Pro.

Five Eyes warn of AI-enabled Chinese espionage.

In an “unprecedented” joint call by Five Eyes counterintelligence leaders last Tuesday, the officials called out Beijing for what they characterized as theft of intellectual property on an “unprecedented” scale. The Five Eyes (Australia, Canada, New Zealand, the United Kingdom, and the United States) called on industry and universities to help counter this threat of Chinese espionage. Such espionage is nothing new, but what the Five Eyes find particularly unsettling is the use of artificial intelligence in these campaigns, given its potential to amplify and augment the threat. The Five Eyes’ counterintelligence leads have been unusually open in their assessment of the Chinese espionage threat. They took their concerns to the broader public in an unprecedented joint appearance on CBS News’ “60 Minutes” this Sunday. For more on the warning, see CyberWire Pro.

Job posting as phishbait.

WithSecure is tracking a cluster of Vietnamese cybercriminal groups that are using phony job postings to distribute malware-laden documents: “WithSecure Detection and Response Team (DRT) detected and identified multiple DarkGate malware infection attempts against WithSecure Managed Detection and Response (MDR) customers in the UK, US, and India. It rapidly became apparent that the lure documents and targeting were very similar to recent DuckTail infostealer campaigns, and it was possible to pivot through open source data from the DarkGate campaign to multiple other infostealers which are very likely being used by the same actor/group.”

The criminals are primarily interested in stealing information and hijacking Facebook Business accounts. For more on the DarkGate campaign, see CyberWire Pro.

The risk of first-party fraud.

Socure has published a report finding that first-party fraud, “in which people use their own identity to commit a dishonest act for financial gain,” costs US financial institutions more than $100 billion per year. Additionally, the survey found that “more than one in three Americans (35%) admit to committing first-party fraud themselves.” The researchers explain, “This includes requesting a refund on an online purchase by falsely claiming that a delivery has been lost, choosing not to pay off credit card bills indefinitely, making a purchase through a ‘Buy Now Pay Later’ (BNPL) loan or maxing out a credit card with no intention of paying it off, or disputing a legitimate financial transaction.”

The Quasar RAT and DLL side-loading.

Researchers at Uptycs warn that the open-source Quasar RAT malware is exhibiting DLL side-loading via two legitimate Windows files, ‘ctfmon.exe’ and ‘calc.exe’. The researchers explain, “In the initial phase, the attacker harnesses ‘ctfmon.exe,’ which is an authentic Microsoft file. By doing so, they load a malicious DLL which, to the untrained eye, would seem benign because of its disguised name.” This first-stage payload is the gateway for subsequent actions on the objective. The payload launches the legitimate ‘calc.exe’ file together with a second malicious DLL. ‘calc.exe’ sets that DLL in motion, and the result is “the infiltration of the ‘QuasarRAT’ payload into the computer’s memory, reflecting the attacker’s adeptness at circumventing security mechanisms.”
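Side-loading of this kind leaves a characteristic trace in image-load telemetry: a genuine Microsoft executable that either runs from a user-writable folder or maps a DLL that is unsigned or sits outside the Windows directory. The script below is an added example written for this briefing, not code from Uptycs or from the Quasar project; it applies that heuristic to records shaped like Sysmon Event ID 7 (Image Loaded) fields. The sample records, the DLL names in them, and the user path are constructed.

```python
"""Triage heuristic for DLL side-loading through trusted Windows binaries.

Added example (not from the Uptycs write-up): flags image-load records in
which a Microsoft host executable named in the report (ctfmon.exe, calc.exe)
either runs from outside System32/SysWOW64 or maps a DLL that is unsigned or
located outside those directories. Field names follow Sysmon Event ID 7;
the sample telemetry at the bottom is constructed, not real data.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ImageLoad:
    image: str         # Sysmon "Image": the process executable
    image_loaded: str  # Sysmon "ImageLoaded": the DLL mapped into it
    signed: bool       # Sysmon "Signed"
    signature: str     # Sysmon "Signature": publisher name, "" if unsigned


# Directories where Microsoft's own binaries and their DLLs are expected.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Host binaries named in the report. Assumption: any other System32 binary
# abused the same way could be added to this set without other changes.
WATCHED_HOSTS = {"ctfmon.exe", "calc.exe"}


def _norm(path: str) -> str:
    """Lower-case and backslash-normalise a Windows path for comparison."""
    return path.replace("/", "\\").lower()


def in_system_dir(path: str) -> bool:
    """True when the file sits directly under System32 or SysWOW64."""
    return ntpath.dirname(_norm(path)) in SYSTEM_DIRS


def side_load_reasons(rec: ImageLoad) -> list[str]:
    """Return the reasons a record looks like side-loading (empty if benign)."""
    host = ntpath.basename(_norm(rec.image))
    if host not in WATCHED_HOSTS:
        return []
    reasons = []
    # A genuine system binary running from a user-writable folder is the
    # classic sign that it was copied there to sit beside a planted DLL.
    if not in_system_dir(rec.image):
        reasons.append(f"{host} running from outside System32: {rec.image}")
    # These hosts normally resolve their DLLs from System32; a DLL from
    # elsewhere, or one without a Microsoft signature, is abnormal.
    if not in_system_dir(rec.image_loaded):
        reasons.append(f"DLL loaded from non-system directory: {rec.image_loaded}")
    if not rec.signed or "microsoft" not in rec.signature.lower():
        reasons.append("loaded DLL is not Microsoft-signed")
    return reasons


def triage(records: list[ImageLoad]) -> list[tuple[str, str, list[str]]]:
    """Run the heuristic over a batch and keep only records with findings."""
    hits = []
    for rec in records:
        reasons = side_load_reasons(rec)
        if reasons:
            hits.append((rec.image, rec.image_loaded, reasons))
    return hits


# Constructed sample telemetry: two benign loads plus the two stages the
# text describes (ctfmon.exe, then calc.exe), each mapping an unsigned DLL
# from a user temp folder. DLL names and the user path are invented.
SAMPLE_RECORDS = [
    ImageLoad(r"C:\Windows\System32\ctfmon.exe",
              r"C:\Windows\System32\msctf.dll", True, "Microsoft Windows"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\ctfmon.exe",
              r"C:\Users\alice\AppData\Local\Temp\msctf.dll", False, ""),
    ImageLoad(r"C:\Windows\System32\calc.exe",
              r"C:\Users\alice\AppData\Local\Temp\stage2.dll", False, ""),
    ImageLoad(r"C:\Windows\System32\calc.exe",
              r"C:\Windows\System32\win32u.dll", True, "Microsoft Windows"),
]

if __name__ == "__main__":
    for image, dll, reasons in triage(SAMPLE_RECORDS):
        print(f"{image} -> {dll}")
        for reason in reasons:
            print(f"    - {reason}")
```

Treat the output as a triage filter rather than a blocking rule: ctfmon.exe in particular legitimately loads third-party text-service and input-method DLLs from under Program Files, so a production version needs an allowlist of known publishers and paths, and the strongest single signal remains a System32 binary running from a user-writable directory.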

Hacktivists trouble humanitarian organizations with nuisance attacks.

Pro-Hamas (or at least anti-Israeli) hacktivists disrupted some online services in an unspecified cyberattack against Tel Aviv’s Sheba Medical Center at Tel Hashomer. The hospital took itself offline and reverted to manual operations, but patient care has continued. The Jerusalem Post reports that the Israeli health ministry has disconnected several other hospitals from the Internet as a precautionary measure. The Jerusalem Post also reports that the website of the Israeli Chevra Kadisha (Jewish Burial Society) was defaced Saturday with anti-semitic slurs and images. The defaced pages displayed the coup-counting claim “hacked by x7root.”

These incidents appear to be instances of a larger trend: humanitarian organizations serving people on both sides of the conflict have increasingly come under hacktivist attack, the Wall Street Journal reports.

Content moderation during wartime.

The European Commission is waiting for satisfactory responses from X (the platform formerly known as Twitter), TikTok, and Meta (corporate parent of Facebook and Instagram) to allegations that they’re out of compliance with the anti-disinformation and anti-hate speech provisions of the EU’s Digital Services Act.

The European Commission’s inquiries are directed principally against disinformation and hate speech aligned with Hamas, but content moderation, ineffectual as it may have been, has apparently had an adverse effect on the Palestinian population in Gaza. WIRED describes some of the ways in which moderation amounts to shadow banning, making it difficult for Palestinians to share warnings, information about basic necessities, and personal news with family members.

Content moderation has remained notoriously labor-intensive and difficult. It becomes more so as people determined to communicate find codewords, slang, typographic substitutions, and various forms of intensionality that enable them to evade the automated tools moderators use to make their workload more tractable. The Washington Post has an account of how pro-Palestinian social media users are employing such measures to circumvent platforms’ content moderation.

Eastern Europe and the Middle East aren’t the only conflict zones manifested in cyberspace that are outrunning platforms’ content moderation. Bellingcat describes how Hindu nationalists are taking advantage of YouTube’s Art Tracks autogeneration functionality to produce Hindutva Pop, a genre associated, Bellingcat says, with incitement to violence against Muslims and calls for Muslims’ expulsion from India.

Not content-moderation, but fact-checking.

The AP is running a piece debunking some false claims made online about the Hamas-Israel war.

Cyberespionage at the ICC.

The International Criminal Court (ICC) has confirmed, TechCrunch reports, that a cyberattack it sustained in September was indeed cyberespionage. “The attack can therefore be interpreted as a serious attempt to undermine the court’s mandate,” the ICC said. The ICC hasn’t determined what government is behind the attack, but it’s almost certainly Russia, which has been determinedly hostile to the court since it issued a warrant for President Putin’s arrest. (Russia retaliated by issuing its own arrest warrants for the court’s president, deputy, chief prosecutor, and one judge.) The ICC expects to be the target of disinformation campaigns designed to destroy its legitimacy, and it views September’s cyberespionage as preparatory work for that disinformation. The ICC has briefly outlined the steps it’s taken to mitigate the attack, and says that Dutch police are investigating the incident.